HTML5 Modern Day Attack And Defence Vectors

Lately, A lot of people have been asking me the reason of my absence and not being active on RHA. The answer is that there are countless factors to which I have lost count myself. Had it been one, I might have remembered it. First of all i was very busy with my studies and also I had been working on my final year project because its right around the corner. All this work had been consuming a lot if my time and then came the task of promoting my upcoming book "Ethical Hacking and Penetration Testing Guide" which took about 10 months of time period to write. Along with it, i have been exploring new horizons with Web Application Firewalls and working on a tool to automatically bypass blacklist based WAF.

From a research point of view, I spent last four months researching on attack vectors with HTML5 and documented them in an easy to understand manner as a part of my semester project. However, i made several modifications later on to match the standards so that I could publish it on my blog.

IT has been more than six years since the advent of HTML5 (dated back 2008), and as the time has passed by we have seen more and more websites utilizing HTML5 features and have witnessed that technologies like flash and silverlight are dying slowly.

However, each of the HTML5 features could bring security issues if not used correctly, one of the major security issues with HTML5 is DOM Based XSS due to the heavy use of javascript in HTML5 based applications which would obviously be the prime highlight of this paper.

 Being a firm believer of free education, here I present to you "HTML5 Modern Day Attack And Defence Vectors" free of cost and free of ads. Last but not least, I would like to sincerely thank "lavakumar kuppan" for his tremendous help and without him the quality of the paper would have been compromised. I hope you find it helpful.

You can download the paper by clicking the "DOWNLOAD" button below:




What's next? 

I also spent some time in researching previously unknown vulnerabilities with Mobile browsers and applications. As soon as they are fixed, I would be disclosing couple of ZERO day vulnerabilities in various apps, browsers etc which i found during my encounter with Qmobile Noir A20 which uses a customized version of Android OS. So Stay Tuned.  

Timeline

6/29/2014 - Fixed spelling mistakes and references.  
7/7/2014 - Fixed more spelling and code formatting mistakes